MXRT1020 usb device on internal flexspi, secure source code part on flexspi

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MXRT1020 usb device on internal flexspi, secure source code part on flexspi

Jump to solution
1,149 Views
vladimir_dolzhe
Contributor III
Hello.
The task is to make it possible to run the application on the imxt1020 board. The source code will be placed in the first half of the flash(internal flexspi), the second half will be available via usb (phat file system). I did this part using examples with the file system and creating a USB device.
 
The second part of the task is to encrypt the flash area with the source code(encrypt only half flexspi internal flash). Using https://github.com/JayHeng/NXP-MCUBootUtility and the NXP-MCUBootUtility app started to figure it out. Based on the description, in order to encrypt only part of the flash, I need to use BEE / OTFAD encryption.
 
Tried to download from https://www.cnblogs.com/henjay724/p/10189602.html image_enc and image_enc2. Nothing comes out. Can you provide access to these archives?
The next question is why is the Windows application used for flashing the board and encrypting the uboot? I work on the Linux platform, now I have not found a way, except how to use a script to flash the board: 1)./sdphost -t 50000 -p / dev / ttyACM0,115200 write-file 0x20208000 ivt_flashloader.bin - load bootloader to RAM
2) ./sdphost -t 50000 -p / dev / ttyACM0,115200 jump-address 0x20208400 - start bootloader
3) sleep 2- simple timeout
4) ./blhost -p / dev / ttyACM0.115200 fill-memory 0x2000 4 0xc0000007- configure FlexSpi
5) ./blhost -p / dev / ttyACM0,115200 configure-memory 0x9 0x2000
6) ./blhost -p / dev / ttyACM0.115200 flash-erase-region 0x60000000 0x10000
7) ./blhost -p / dev / ttyACM0.115200 write-memory 0x60000000 examples / flexspi_nor_edma_transfer.bin - program source code to flash.
 
sdphost and blhost for Linux. I program in uart mode. Is there a mbedwinSerial_1466 driver for Linux to flash the board in usb mode?
Can I flash board by mfgtool under Linux? I did not find such vid pid in supported devices.
 
Is there a similar NXP-MCUBootUtility application for Linux? Since, for example, to use the HAB encryption function, you need to do a lot of manipulations - https://www.cnblogs.com/henjay724/p/10219459.html.
 
Labels (1)
0 Kudos
Reply
1 Solution
1,133 Views
vladimir_dolzhe
Contributor III

Thanks for the answer. I will try this method. I use SDK for arm gcc. Now my example works fine without using encryption. Brief instruction:

1) Install arm gcc for cortex-m7
wget https://armkeil.blob.core.windows.net/developer/Files/downloads/gnu-rm/9-2019q4/gcc-arm-none-eabi-9-...
mkdir ~/opt
cp gcc-arm-none-eabi-9-2019-q4-major-x86_64-linux.tar.bz2 ~/opt
cd ~/opt
tar -xvf gcc-arm-none-eabi-9-2019-q4-major-x86_64-linux.tar.bz2
export ARMGCC_DIR=~/opt/gcc-arm-none-eabi-9-2019-q4-major

2) Build flexspi demo app (CMake 3.10 require)
cd SDK/boards/evkmimxrt1020/driver_examples/flexspi/nor/edma_transfer/armgcc
./build_all.sh

3) Generate bin file from elf
cd flexspi_nor_release
~/opt/gcc-arm-none-eabi-9-2019-q4-major/bin/arm-none-eabi-objcopy -O binary flexspi_nor_edma_transfer.elf flexspi_nor_edma_transfer.bin

4) Serial mode ON
Set board to serial mode and ON board. Check /dev/ttyACM0 is exist

5) Flash demo app to board
Load flashloader to memory
./sdphost -t 50000 -p /dev/ttyACM0,115200 write-file 0x20208000 ivt_flashloader.bin
Execute flashloader
./sdphost -t 50000 -p /dev/ttyACM0,115200 jump-address 0x20208400
Fill and configure memory for FLEXSPI NOR
./blhost -p /dev/ttyACM0,115200 fill-memory 0x2000 4 0xc0000007
./blhost -p /dev/ttyACM0,115200 configure-memory 0x9 0x2000
Erase memory region
./blhost -p /dev/ttyACM0,115200 flash-erase-region 0x60000000 0x10000
Write demo app
./blhost -p /dev/ttyACM0,115200 write-memory 0x60000000 flexspi_nor_edma_transfer.bin

This part work good.

 

After that I want to try bee encrypt:

6) Flash demo bee encrypt to board
Encrypt flexspi region from offset 0x1000 with size 0x3FF000 and AES KEY 0123456789abcdeffedcba9876543210
image_enc.exe hw_eng=bee ifile=flexspi_nor_edma_transfer.bin ofile=flexspi_nor_edma_transfer_bee_encrypted.bin base_addr=0x60000000 region0_key=0123456789abcdeffedcba9876543210 region0_arg=1,[0x60001000,0x3FF000,0] region0_lock=0 use_zero_key=1 is_boot_image=1

Remove padding 1K size
dd if=flexspi_nor_edma_transfer_bee_encrypted.bin of=flexspi_nor_edma_transfer_bee_encrypted_remove1K.bin skip=1 bs=1024 count=200

Generate encrypt sb file
elftosb -f kinetis -V -c program_imxrt1020_qspi_encrypt_sw_gp2.bd -o boot_image_encrypt.sb flexspi_nor_edma_transfer_bee_encrypted_remove1K.bin

Generate burn_fuse sb file
elftosb -f kinetis -V -c burn_fuse.bd -o burn_fuse.sb

Flash images
./sdphost -t 50000 -p /dev/ttyACM0,115200 write-file 0x20208000 ivt_flashloader.bin
./sdphost -t 50000 -p /dev/ttyACM0,115200 jump-address 0x20208400
./blhost -p /dev/ttyACM0,115200 receive-sb-file burn_fuse.sb
./blhost -p /dev/ttyACM0,115200 reset
./blhost -p /dev/ttyACM0,115200 receive-sb-file boot_image_encrypt.sb

As far as I understand, polyfuse will be programmed here, will it be possible to return to normal boot later if something goes wrong? In this example, zero keys are used, how do I use my keys? Is it possible to compile the image_enc utility for Linux, there are sources for it. The customer wants to program the boards in a minimal way, using their encryption keys. To do this, he needs a minimal set of utilities (now it is: sdphost, blhost, elftosb, image_enc.exe).

My burn_fuse.bd:

sources {
}

constants {
}

section (0) {

# program SW_GP2
load fuse 0x76543210 > 0x29;
load fuse 0xfedcba98 > 0x2a;
load fuse 0x89abcdef > 0x2b;
load fuse 0x01234567 > 0x2c;

# Program BEE_KEY0_SEL
load fuse 0x00003000 > 0x6;
}

load fuse 0x00003000 > 0x6 - Is that correct to use only region0? what does it mean?(may be have any datasheet for that)

program_imxrt1020_qspi_encrypt_sw_gp2.bd:

sources {
myBinFile = extern (0);
}

section (0) {
load 0xc0000007 > 0x2000;
enable flexspinor 0x2000;
erase 0x60000000..0x60010000;
load 0xf000000f > 0x3000;
enable flexspinor 0x3000;
load myBinFile > 0x60000400;
}

Is that correct bd file?

View solution in original post

0 Kudos
Reply
4 Replies
1,134 Views
vladimir_dolzhe
Contributor III

Thanks for the answer. I will try this method. I use SDK for arm gcc. Now my example works fine without using encryption. Brief instruction:

1) Install arm gcc for cortex-m7
wget https://armkeil.blob.core.windows.net/developer/Files/downloads/gnu-rm/9-2019q4/gcc-arm-none-eabi-9-...
mkdir ~/opt
cp gcc-arm-none-eabi-9-2019-q4-major-x86_64-linux.tar.bz2 ~/opt
cd ~/opt
tar -xvf gcc-arm-none-eabi-9-2019-q4-major-x86_64-linux.tar.bz2
export ARMGCC_DIR=~/opt/gcc-arm-none-eabi-9-2019-q4-major

2) Build flexspi demo app (CMake 3.10 require)
cd SDK/boards/evkmimxrt1020/driver_examples/flexspi/nor/edma_transfer/armgcc
./build_all.sh

3) Generate bin file from elf
cd flexspi_nor_release
~/opt/gcc-arm-none-eabi-9-2019-q4-major/bin/arm-none-eabi-objcopy -O binary flexspi_nor_edma_transfer.elf flexspi_nor_edma_transfer.bin

4) Serial mode ON
Set board to serial mode and ON board. Check /dev/ttyACM0 is exist

5) Flash demo app to board
Load flashloader to memory
./sdphost -t 50000 -p /dev/ttyACM0,115200 write-file 0x20208000 ivt_flashloader.bin
Execute flashloader
./sdphost -t 50000 -p /dev/ttyACM0,115200 jump-address 0x20208400
Fill and configure memory for FLEXSPI NOR
./blhost -p /dev/ttyACM0,115200 fill-memory 0x2000 4 0xc0000007
./blhost -p /dev/ttyACM0,115200 configure-memory 0x9 0x2000
Erase memory region
./blhost -p /dev/ttyACM0,115200 flash-erase-region 0x60000000 0x10000
Write demo app
./blhost -p /dev/ttyACM0,115200 write-memory 0x60000000 flexspi_nor_edma_transfer.bin

This part work good.

 

After that I want to try bee encrypt:

6) Flash demo bee encrypt to board
Encrypt flexspi region from offset 0x1000 with size 0x3FF000 and AES KEY 0123456789abcdeffedcba9876543210
image_enc.exe hw_eng=bee ifile=flexspi_nor_edma_transfer.bin ofile=flexspi_nor_edma_transfer_bee_encrypted.bin base_addr=0x60000000 region0_key=0123456789abcdeffedcba9876543210 region0_arg=1,[0x60001000,0x3FF000,0] region0_lock=0 use_zero_key=1 is_boot_image=1

Remove padding 1K size
dd if=flexspi_nor_edma_transfer_bee_encrypted.bin of=flexspi_nor_edma_transfer_bee_encrypted_remove1K.bin skip=1 bs=1024 count=200

Generate encrypt sb file
elftosb -f kinetis -V -c program_imxrt1020_qspi_encrypt_sw_gp2.bd -o boot_image_encrypt.sb flexspi_nor_edma_transfer_bee_encrypted_remove1K.bin

Generate burn_fuse sb file
elftosb -f kinetis -V -c burn_fuse.bd -o burn_fuse.sb

Flash images
./sdphost -t 50000 -p /dev/ttyACM0,115200 write-file 0x20208000 ivt_flashloader.bin
./sdphost -t 50000 -p /dev/ttyACM0,115200 jump-address 0x20208400
./blhost -p /dev/ttyACM0,115200 receive-sb-file burn_fuse.sb
./blhost -p /dev/ttyACM0,115200 reset
./blhost -p /dev/ttyACM0,115200 receive-sb-file boot_image_encrypt.sb

As far as I understand, polyfuse will be programmed here, will it be possible to return to normal boot later if something goes wrong? In this example, zero keys are used, how do I use my keys? Is it possible to compile the image_enc utility for Linux, there are sources for it. The customer wants to program the boards in a minimal way, using their encryption keys. To do this, he needs a minimal set of utilities (now it is: sdphost, blhost, elftosb, image_enc.exe).

My burn_fuse.bd:

sources {
}

constants {
}

section (0) {

# program SW_GP2
load fuse 0x76543210 > 0x29;
load fuse 0xfedcba98 > 0x2a;
load fuse 0x89abcdef > 0x2b;
load fuse 0x01234567 > 0x2c;

# Program BEE_KEY0_SEL
load fuse 0x00003000 > 0x6;
}

load fuse 0x00003000 > 0x6 - Is that correct to use only region0? what does it mean?(may be have any datasheet for that)

program_imxrt1020_qspi_encrypt_sw_gp2.bd:

sources {
myBinFile = extern (0);
}

section (0) {
load 0xc0000007 > 0x2000;
enable flexspinor 0x2000;
erase 0x60000000..0x60010000;
load 0xf000000f > 0x3000;
enable flexspinor 0x3000;
load myBinFile > 0x60000400;
}

Is that correct bd file?

0 Kudos
Reply
1,125 Views
vladimir_dolzhe
Contributor III

Try, it works all fine by mine instruction. I think one key aes will be enough for the customer(i don't use SRK hash yet - maybe later). image_enc build from source code, use mbetdtls github for dependency. All work's fine, thanks.

0 Kudos
Reply
1,120 Views
vladimir_dolzhe
Contributor III

Encrypt images with AES CTR: it seems like it works. But data in encrypted.bin file not changed after 0x1000 offset. Write only enc_region_hdr to offset 0x400. I change aes key many times, data was not changed after 0x1000 offset, source code in flex not encrypt by image_enc utility.....

1) I try to use AES ECB. Data changed, but nothing work:

./image_enc ifile=flexspi_nor_edma_transfer.bin ofile=flexspi_nor_edma_transfer_bee_encrypted.bin base_addr=0x60000000 region0_key=0123456789abcdeffedcba9876543210 region0_arg=0,[0x60001000,0x3FF000,0] region0_lock=0 use_zero_key=1 is_boot_image=1

Remove padding 1K size
dd if=flexspi_nor_edma_transfer_bee_encrypted.bin of=flexspi_nor_edma_transfer_bee_encrypted_remove1K.bin skip=1 bs=1024 count=200

Generate encrypt sb file
./elftosb -f kinetis -V -c program_imxrt1020_qspi_encrypt_sw_gp2.bd -o boot_image_encrypt.sb flexspi_nor_edma_transfer_bee_encrypted_remove1K.bin

./sdphost -t 50000 -p /dev/ttyACM0,115200 write-file 0x20208000 ivt_flashloader.bin
./sdphost -t 50000 -p /dev/ttyACM0,115200 jump-address 0x20208400
./blhost -p /dev/ttyACM0,115200 receive-sb-file burn_fuse.sb
./blhost -p /dev/ttyACM0,115200 receive-sb-file boot_image_encrypt.sb - NOT WORK AFTER LOAD BOARD FROM FLEXSPI.

2)I try to use AES CTR :

./image_enc ifile=flexspi_nor_edma_transfer.bin ofile=flexspi_nor_edma_transfer_bee_encrypted.bin base_addr=0x60000000 region0_key=0123456789abcdeffedcba9876543210 region0_arg=1,[0x60001000,0x3FF000,0] region0_lock=0 use_zero_key=1 is_boot_image=1

Remove padding 1K size
dd if=flexspi_nor_edma_transfer_bee_encrypted.bin of=flexspi_nor_edma_transfer_bee_encrypted_remove1K.bin skip=1 bs=1024 count=200

Generate encrypt sb file
./elftosb -f kinetis -V -c program_imxrt1020_qspi_encrypt_sw_gp2.bd -o boot_image_encrypt.sb flexspi_nor_edma_transfer_bee_encrypted_remove1K.bin

./sdphost -t 50000 -p /dev/ttyACM0,115200 write-file 0x20208000 ivt_flashloader.bin
./sdphost -t 50000 -p /dev/ttyACM0,115200 jump-address 0x20208400
./blhost -p /dev/ttyACM0,115200 receive-sb-file burn_fuse.sb
./blhost -p /dev/ttyACM0,115200 receive-sb-file boot_image_encrypt.sb - WORK AFTER LOAD BOARD FROM FLEXSPI.

The only difference is that I am using the parameter AES mode for image_enc...burn_fuse.bd and program_imxrt1020_qspi_encrypt_sw_gp2.bd used the same(AES key and params for region0 used the same). Why AES CTR work with this parameters, but AES ECB don't work? Why AES CTR mode do not encrypt data in region, only write enc_region hdr to offset 0x400? I tried change aes key in AES CTR mode, but change only header at offset 0x400, data do not changed....

The customer needs a simple option, encrypt the source code with an AES algorithm, place the keys in the OTP

0 Kudos
Reply
1,136 Views
jeremyzhou
NXP Employee
NXP Employee

Hi,
Thank you for your interest in NXP Semiconductor products and for the opportunity to serve you.
To provide the fastest possible support, I'd highly recommend you use the MCUXpresso Secure Provisioning tool instead of NXP-MCUBootUtility on Linux OS.
Have a great day,
TIC

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!

 

- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

 

0 Kudos
Reply